Now that I've used the "Save results" button on my search results and can access them through the jobs screen, where is that saved result data being kept? Are they in the same index as they were when I found them? Have those results been copied to a new index? Are those results in some extra-index phantom zone?
My main reason for asking is that I want to know if they are subject to the same retention/rollover schedule as the indexes in which those results lived before I searched them out and captured them with "save results."
Saved search results come from the index they were initially pulled from; however, the results themselves are served from disk, from the $SPLUNK_HOME/var/run/splunk/dispatch/search/ folder.
As an example, here are some of mine, again, in $SPLUNK_HOME/splunk/var/run/splunk/dispatch:
drwx------ 2 stuff things 4096 May 26 10:15 scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306430100_7edee2e2cfcda8eb
drwx------ 2 stuff things 4096 May 26 10:30 scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306431000_ff79649bab08acd2
drwx------ 2 stuff things 4096 May 26 10:35 scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431300_42a445258b88c357
drwx------ 2 stuff things 4096 May 26 10:40 scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431600_e21d10240c010dc6
The results would be held on disk until the TTL for that particular search expires, irrespective of whether the retention policy has rolled the events from cold to frozen.
Once they are frozen, your search will never return those results again unless you are using a coldToFrozenDir or script and you've thawed the data.
They are subject to the same retention policy, but since they are held on disk until the job expires, you won't see the effect until that occurs.
Thank you for the great answer. Would I be able to adjust the TTL of that saved search, say, through savedsearches.conf? Dispatch.ttl seems almost like what I'm looking for, but the conf description introduces some ambiguities.
Yes, you can adjust the ttl by setting dispatch.ttl. That is exactly what it is for. You can also set it when you dispatch the saved search using the -timeout parameter on the CLI, or the timeout parameter in the REST API.
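To tie the two answers together (where the copied results live, and how long dispatch.ttl keeps them), here is an added example, not from the original thread or from Splunk, that parses scheduled-job directory names of the shape shown in the listing above, decodes the base64 search name, and estimates when each job's on-disk results expire for a given TTL. It assumes the naming layout scheduler__<owner>__<app>_<base64 name>_at_<epoch>_<suffix>, and it approximates expiry as dispatch time plus TTL (Splunk's real TTL clock starts when the job finishes, so this is a lower bound).

```python
import base64
import re

# Constructed sample: the directory names from the listing in the answer above,
# plus one name of a different shape (an assumed ad-hoc job id) the parser must skip.
SAMPLE_DISPATCH_DIRS = [
    "scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306430100_7edee2e2cfcda8eb",
    "scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431300_42a445258b88c357",
    "1306432000.42",
]

# Assumed layout: scheduler__<owner>__<app>_<base64 search name>_at_<epoch>_<job suffix>
SCHEDULED_RE = re.compile(
    r"^scheduler__(?P<owner>.+?)__(?P<app_and_name>.+)_at_(?P<epoch>\d+)_(?P<suffix>[0-9a-f]+)$"
)


def decode_search_name(b64: str) -> str:
    """Decode the base64 search name; the listing shows the '=' padding stripped."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-8")


def parse_dispatch_dir(name: str):
    """Return owner/app/search name/dispatch epoch for a scheduled-job dir, else None."""
    m = SCHEDULED_RE.match(name)
    if not m:
        return None
    # Standard base64 never contains '_', so the last '_' separates app from name.
    app, b64 = m.group("app_and_name").rsplit("_", 1)
    return {
        "owner": m.group("owner"),
        "app": app,
        "search_name": decode_search_name(b64),
        "dispatched_at": int(m.group("epoch")),
    }


def expiry_report(names, ttl_seconds: int, now_epoch: int):
    """Estimate, per scheduled job dir, when its copied results leave disk.

    Assumed approximation: expiry = scheduled dispatch epoch + dispatch.ttl.
    The real TTL counts from job completion, so this underestimates slightly.
    """
    report = []
    for name in names:
        job = parse_dispatch_dir(name)
        if job is None:
            continue  # not a scheduled-job artifact of the shape we audit
        expires_at = job["dispatched_at"] + ttl_seconds
        report.append({**job, "expires_at": expires_at, "expired": now_epoch >= expires_at})
    return report
```

Run expiry_report over a listing of $SPLUNK_HOME/var/run/splunk/dispatch with your configured dispatch.ttl to see which scheduled searches still hold event copies that the index retention policy has already rolled away.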